Ben Caller

**Name of the Vulnerable Software and Affected Versions** ansi-html (affected versions not specified) **Description** The issue arises when an attacker provides a malicious string, causing the system to get stuck processing the input for an extremely long time. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RestSharp versions prior to 106.11.8-alpha.0.13 **Description** The issue arises from a vulnerable regular expression used when converting strings into DateTimes, making it susceptible to Regular Expression Denial of Service (ReDoS). If a server responds with a malicious string, the client using the affected software will be stuck processing it for an exceedingly long time, allowing the remote server to trigger a Denial of Service. **Recommendations** For versions prior to 106.11.8-alpha.0.13, update to version 106.11.8-alpha.0.13 or later to resolve the issue. As a temporary workaround, consider restricting the use of the DateTime conversion function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ua-parser-js versions 0.7.14 through 0.7.23 **Description** The issue is related to an uncontrolled resource consumption vulnerability in the ua-parser-js library. It can be exploited by a remote attacker to cause a denial of service. The vulnerability arises from a regular expression that is vulnerable to denial of service attacks. If an attacker sends a malicious User-Agent header, the library will get stuck processing it for an extended period. **Recommendations** For versions 0.7.14 through 0.7.23, update to version 0.7.24 to resolve the issue. As a temporary workaround, consider restricting access to the `User-Agent` header to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: markdown2 versions 1.0.1.18 through 2.3.x Description: The issue allows an attacker to cause a denial of service by providing a malicious string, making markdown2 processing difficult or delayed for an extended period. This occurs due to a regular expression denial of service vulnerability. Recommendations: For markdown2 versions 1.0.1.18 through 2.3.x, update to version 2.4.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** httplib2 versions prior to 0.19.0 **Description** A malicious server which responds with long series of `xa0` characters in the `www-authenticate` header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. The issue arises due to catastrophic backtracking in the vulnerable regular expression, leading to cubic complexity and significant processing delays. **Recommendations** For versions prior to 0.19.0, update to version 0.19.0, which contains a new implementation of auth headers parsing using the pyparsing library. As a temporary workaround, consider setting `httplib2.USE WWW AUTH STRICT PARSING` to `True` to mitigate the issue.

Name of the Vulnerable Software and Affected Versions: CairoSVG versions prior to 2.5.1 Description: The issue is related to a regular expression denial of service (REDoS) vulnerability in CairoSVG, a Python package used for converting SVG files. When processing SVG files, CairoSVG uses two regular expressions that are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can cause CairoSVG to get stuck processing the file for a very long time. The vulnerability is caused by the complexity of the regular expressions, which can lead to catastrophic backtracking when processing a long string of spaces. The complexity is cubic, meaning that doubling the length of the malicious string of spaces makes processing take 8 times as long. Recommendations: For versions prior to 2.5.1, update to version 2.5.1 or later to fix the regular expression denial of service (REDoS) vulnerability. As a temporary workaround, consider avoiding the use of the vulnerable regular expressions in the `colors.py` file until a patch is available. Restrict access to the `cairosvg` package to minimize the risk of exploitation. Avoid using malicious SVG files that can cause the package to get stuck processing the file for a very long time.

**Name of the Vulnerable Software and Affected Versions** Pygments versions 1.1 through 2.7.3 **Description** The issue is related to the use of regular expressions in the Pygments syntax highlighting program. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. **Recommendations** For Pygments versions 1.1 through 2.7.3, update to version 2.7.4 to resolve the issue. As a temporary workaround, consider restricting the input to the lexers to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** uap-core versions prior to 0.7.3 **Description** The issue allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is due to some regexes being vulnerable to regular expression denial of service (REDoS) because of overlapping capture groups. Each vulnerable regular expression contains 3 overlapping capture groups, and backtracking has approximately cubic time complexity with respect to the length of the user-agent string. **Recommendations** Update uap-core to version 0.7.3 or later to resolve the issue. As a temporary workaround, consider restricting the length of the User-Agent header in HTTP(S) requests to prevent exploitation. Additionally, disabling or restricting the use of the vulnerable regexes can help minimize the risk of exploitation until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Python versions 2.7 through 2.7.17 Python versions 3.5 through 3.5.9 Python versions 3.6 through 3.6.10 Python versions 3.7 through 3.7.6 Python versions 3.8 through 3.8.1 **Description** The issue is related to an uncontrolled consumption of resources in the Python interpreter. It allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of `urllib.request.AbstractBasicAuthHandler` catastrophic backtracking. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For Python versions 2.7 through 2.7.17, consider disabling the `urllib.request.AbstractBasicAuthHandler` to minimize the risk of exploitation until a patch is available. For Python versions 3.5 through 3.5.9, consider disabling the `urllib.request.AbstractBasicAuthHandler` to minimize the risk of exploitation until a patch is available. For Python versions 3.6 through 3.6.10, consider disabling the `urllib.request.AbstractBasicAuthHandler` to minimize the risk of exploitation until a patch is available. For Python versions 3.7 through 3.7.6, consider disabling the `urllib.request.AbstractBasicAuthHandler` to minimize the risk of exploitation until a patch is available. For Python versions 3.8 through 3.8.1, consider disabling the `urllib.request.AbstractBasicAuthHandler` to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider restricting access to the vulnerable `urllib.request` module to minimize the risk of exploitation.